Web750 Support Articles and How-to guides:

WordPress Essential Security Setup – protect your website from malware and hacking attacks.

Ensuring WordPress security holds paramount significance for all website owners. Daily, Google blacklists over 10,000 websites due to malware and flags approximately 50,000 sites for phishing weekly.

If safeguarding your website is a priority, adopting the best WordPress security practices becomes imperative. This comprehensive guide will furnish you with the top WordPress security tips to effectively shield your website from hackers and malware.

Why do you need WordPress security?

WordPress security is of utmost importance for several compelling reasons. Firstly, WordPress is one of the most popular content management systems globally, making it an attractive target for hackers seeking to exploit vulnerabilities and gain unauthorized access to websites. Without adequate security, your website becomes susceptible to various threats, such as malware injections, brute force attacks, and phishing attempts.

Secondly, a compromised website can result in severe consequences, including loss of sensitive data, damage to your reputation, and potential legal liabilities. Visitors' trust can be shattered if their personal information is compromised, significantly losing traffic and business opportunities.

Moreover, search engines like Google actively blacklist websites containing malicious content, negatively impacting your site's SEO ranking and visibility. That can be detrimental to your web presence and credibility.

By investing in WordPress security, you proactively protect your website, users, and business interests. Implementing strong security practices, regular updates, robust password policies, and security plugins can significantly reduce the risk of cyber threats and provide peace of mind, allowing you to focus on your website's growth and success.

Here are some action steps you can implement to safeguard your website from security vulnerabilities.

Update WordPress Version Regularly

Regularly updating your WordPress version is vital for your website's security, stability, and performance. WordPress releases updates to fix bugs, address vulnerabilities, and introduce new features. By staying up-to-date, you protect your site from potential security breaches and ensure compatibility with the latest themes and plugins.

To update, check the dashboard for available updates, back up your website, and test the updates in a staging environment. Remember to update the core files first, followed by themes and plugins. Maintaining an updated WordPress version will provide a seamless user experience and safeguard your site from potential threats.

Implement Secure Login Credentials for WP-Admin

Secure WP-Admin login credentials are paramount to safeguard your WordPress website from unauthorized access and potential cyber threats. Start by choosing strong and unique usernames, avoiding generic ones like "admin." Combine using uppercase and lowercase letters, numbers, and special characters to create robust passwords that are difficult to crack. Enable two-factor authentication (2FA) for an extra layer of security, requiring a verification code in addition to your password.

Limit login attempts to prevent brute-force attacks. Regularly update login credentials and avoid sharing them through insecure channels. Plan to use a Virtual Private Network (VPN) when accessing WP-Admin from public networks. By implementing these measures, you significantly enhance the security of your WP-Admin login, protecting your website and sensitive data from potential threats.

To create an additional or new WordPress administrator account with a unique username, log in to the WordPress dashboard, navigate to "Users," click "Add New," provide a username, email, and password, select "Administrator" as the role, and click "Add New User." Log in using the new credentials for admin access.

Create a strong password by combining numbers, symbols, and uppercase and lowercase letters. For enhanced security, opt for passwords longer than 12 characters, as they are significantly more challenging to crack.

Using Trusted WordPress Themes

Using trusted WordPress themes is a fundamental step in setting up essential security for your WordPress website. Trusted themes are developed and maintained by reputable authors or companies, ensuring they follow coding best practices and undergo regular security audits. By opting for such themes, you reduce the danger of vulnerabilities that hackers and bad actors can exploit.

Avoid downloading themes from unreliable websites, which may contain hidden malware or malicious code. Additionally, ensure that the chosen theme is compatible with your current WordPress version and popular plugins to avoid potential conflicts.

To minimize the risk of being targeted by hackers, selecting WordPress themes exclusively from the official repository or trusted developers is advisable. Alternatively, you can explore third-party themes within official theme marketplaces like ThemeForest, offering a vast array of premium themes. By adhering to these guidelines, you enhance the security of your WordPress-based website and reduce the likelihood of potential security breaches.

Establishing a Safelist and Blocklist for the Admin Page

Set up a safelist and blocklist to bolster essential security for your WordPress admin page. Create a safelist containing authorized IP addresses or IP ranges from which admin access is permitted. That ensures that only trusted users can access the admin area. Simultaneously, implement a blocklist to deny access from suspicious or unauthorized IPs known for malicious activities. Using plugins or server configurations, you can easily manage these lists and fortify your website's defenses against unauthorized access attempts, significantly reducing the risk of potential security threats.

Install SSL Certificate

Installing an SSL certificate security on your WordPress website is a fundamental security step that guarantees encrypted communication between your server and visitors. That ensures the integrity and confidentiality of data transmitted between users and your website.

Firstly, you must purchase an SSL certificate from a trusted Certificate Authority (CA). After validation, you'll receive a certificate file which you'll need to install on your web server.

For those using a hosting provider that offers cPanel, the process involves uploading the certificate file via the SSL/TLS manager. Then, you must update your WordPress settings to HTTPS instead of HTTP.

The process is more straightforward for websites hosted on managed WordPress hosting platforms. Most providers offer one-click SSL installation or even automatically install SSL.

Once installed, ensure all your content loads over HTTPS, not HTTP, to avoid mixed content issues. Use plugins like Really Simple SSL to facilitate this process. Always remember having an SSL is essential to build trust with users and for SEO ranking.

Remove Unused WordPress Plugins and Themes

Unused themes and plugins can pose a security risk to your WordPress website. Keeping them on your site, even inactive, can become a backdoor for hackers if not regularly updated. Here's how to safely remove them:

Firstly, back up your website. This is a crucial step before making significant changes to your WordPress site.

Next, deactivate unused plugins. Navigate to your WordPress dashboard, click 'Plugins,' and see a list of all installed plugins. For each unused plugin, click 'Deactivate', then 'Delete'.

For themes, go to 'Appearance' > 'Themes'. You'll see all your installed themes. Keep the currently active and default WordPress themes (like Twenty-One). For any other unused themes, hover over the theme and click 'Theme Details', then click 'Delete' in the bottom right corner.

Remember, having only necessary and up-to-date themes and plugins reduces potential vulnerabilities. Maintaining this as part of your security setup helps to ensure your WordPress site remains safe and secure.

Improve WordPress security by using WordPress plugins.

While it's handy to safeguard your website using these plugins, it's essential not to install them all simultaneously without proper thought. An overload of plugins can result in the slowdown of your site.

Initially, determine your requirements to select the most suitable plugins for your website.

Enable Two-Factor Authentication for WP-Admin

Enabling Two-Factor Authentication (2FA) for your WordPress admin area adds an extra layer of security, reducing the risk of unauthorized access.

To set up 2FA, you'll need a plugin like Wordfence, Jetpack, or Google Authenticator. Once installed and activated, navigate to the plugin's settings in your WordPress dashboard.

You'll usually be asked to link your account with an authentication app on your mobile phone, such as Google Authenticator or Authy. Once linked, each time you log in to your WP-admin, you'll be prompted to enter a one-time passcode from your authenticator app after entering your password.

By enabling 2FA, you're significantly improving your WordPress website's security, making it more resilient to breaches.

Backup WordPress Regularly

Regularly backing up your WordPress site is vital to your security setup. Backups safeguard your content and data if your site is ever compromised or experiences technical issues.

You can backup your WordPress website manually or use a plugin like UpdraftPlus, BackupBuddy, or VaultPress. These plugins can automatically back up your site at regular intervals.

After installation and activation:

Go to the plugin settings.

Set your preferred backup schedule.

Specify your backups' backup location.

You can store backups in cloud storage services like Google Drive, Dropbox, or Amazon S3.

Regular backups offer peace of mind, knowing you can quickly recover your WordPress site in an emergency.

Limit Login Attempts

Limiting login attempts is a robust security measure for your WordPress site, protecting it from brute-force attacks. These attacks involve hackers attempting to gain access by repeatedly guessing your password.

To limit login attempts, you should use plugins like Limit Login Attempts Reloaded or Login LockDown. After installing and activating your chosen plugin, go to its settings in your WordPress dashboard.

Here, you can set the maximum number of login attempts before the IP and lockout duration get blocked. You can also get notified via email after several failed attempts.

Limiting login attempts makes it significantly more challenging for unauthorized users to gain "brute force" access to your site.

Change the WordPress Login Page URL

Changing the default WordPress login URL is an adequate security precaution that can significantly reduce the chances of brute-force attacks. By default, the WordPress login URL is yoursite.com/wp-admin or yoursite.com/wp-login.php. Hackers commonly target these URLs.

To change your login URL, use a security plugin like WPS Hide Login or iThemes Security. After installing and activating the new plugin, navigate to its settings in the WordPress dashboard.

In the settings, specify a new login URL. Make it unique but easy to remember—for example, yoursite.com/my-new-login. The old WordPress login URLs will now redirect to your homepage, making it harder for hackers to find your login page.

Remember, changing the login URL should be a part of a larger security strategy, as it is one of the many ways to protect your WordPress site.

Monitor User Activity

Monitoring ongoing user activity is essential to maintaining a secure WordPress website. It allows you to track and log user actions, giving you visibility into who is doing what on your site. That can be particularly helpful in identifying suspicious behavior or actions that could compromise your site's security.

Use a plugin like WP Activity Log or Activity Log to monitor user activity. Once installed and activated, these plugins can track actions like user logins, password changes, theme changes, plugin installations, and updates or modifications to posts and pages.

These plugins often allow you to customize the level of tracking and can provide reports and real-time alerts for specific activities. Regularly monitoring and reviewing user activity can help you quickly detect and respond to various security threats, ensuring the ongoing safety of your WordPress site.

Automatically Sign Out Inactive Users from WordPress

Automatically logging out idle users is an intelligent security measure for your WordPress site. It prevents unauthorized actions from occurring if a user leaves their device unattended while logged in to your website.

To implement this, you can use a plugin like Idle User Logout or BulletProof Security. Once installed and activated, navigate to the plugin's settings in your WordPress dashboard.

Here, you can define the idle time after which a user should be logged out. You can also usually set up a countdown dialog warning users before they're logged out. Some plugins provide an option to exempt specific user roles from automatic logouts.

By automatically logging out idle users, you significantly reduce the risk of unauthorized activity on your site, enhancing its overall security.

Check for WordPress Malware

Regularly checking for malware is an essential part of maintaining the security of your WordPress site. Malware can lead to data theft, site blacklisting, or loss of website access.

To perform malware scanning, use a security plugin like Wordfence, Sucuri Security, or iThemes Security. These plugins can scan your site for malware, malicious code, and other security threats.

After installing and activating your chosen plugin, navigate to its dashboard within your WordPress admin area. Here, you can initiate a malware scan. Some plugins also offer automatic scheduled scans.

These plugins detect malware and offer solutions to fix detected issues. It's essential to regularly update your security plugin to ensure that it can identify and protect against the newest threats.

By actively checking for malware, you help ensure your WordPress site's ongoing security and integrity.

How to enhance your WordPress website security without using plugins?

Enhancing your website security is achievable even without relying on plugins. Here we will show step by step.

Migrate to a hosting provider that specializing in managed WordPress web hosting

Migrating to a more secure web host is a proactive approach to enhancing your website security without using plugins. By opting for a reputable hosting provider with robust security measures, you can fortify your website against potential threats and vulnerabilities. A secure web host typically employs advanced firewalls, regular security updates, and intrusion detection systems, reducing the risk of cyberattacks. A reliable host may also offer features like SSL certificates, secure file transfer protocols, and secure data centers to safeguard your website and visitors' data. Choosing a secure web host is fundamental in bolstering your website's defense and ensuring a safe online environment for your users.

Turn File Editing Off

Turning off file editing in WordPress is a common security measure, preventing unauthorized changes to your theme and selecting plugin files directly from the WordPress admin area. You can do this by adding a line of code to your wp-config.php file located in the root directory of your customized WordPress installation. Here's the code you need to add: define('DISALLOW_FILE_EDIT', true);

After adding this line to your wp-config.php file, save the changes and upload it back to your server if necessary. The theme and plugin editors will be disabled in the WordPress admin area, enhancing your website's security.

Change the Default WordPress Database Prefix

Changing the default WordPress database prefix helps improve site security. First, always back up your database. In wp-config.php, locate $table_prefix = 'wp_'; and replace 'wp_' with a new prefix, e.g., $table_prefix = 'a1b2c3_';. Next, in your database, change the prefix for each table from 'wp_' to your new prefix. Do the same for any options and user meta fields with the old prefix. That can be a complex process and requires knowledge of databases. Always back up before making changes, and consider using a security plugin that simplifies this process, reducing risks associated with manual alterations.


Cyberattacks, such as malware injection and DDoS attacks, pose significant threats. WordPress websites are particularly vulnerable due to their widespread use, making them attractive targets for hackers. Thus, WordPress website owners must understand how to secure their sites effectively.

Yet, securing a WordPress site is more than just a one-and-done affair. Continuous assessment is vital as cyberattacks constantly evolve. Although risks persist, implementing WordPress security measures can significantly mitigate them. By staying proactive and adopting robust security practices, website owners can safeguard their WordPress sites and protect against potential breaches.

Useful links / Resources

  • WordPress Security (Official by WordPress.org)

  • The Definitive WordPress Security Guide (Sucuri)

  • WordPress Security Plug-in (Wordfence)

  • The Ultimate WordPress Security Guide (WP beginner)

  • WordPress Security Plug-ins (Official by WordPress.org)

  • Support Article (in Spanish)

  • Support Article (in Portuguese)

  • Managed WordPress cloud web hosting plans (Web750)

  • Go back to Web750